Home page logo
/

pen-test logo Penetration Testing mailing list archives

Controling the eip
From: wymerzp () sbu edu
Date: 15 May 2007 00:04:13 -0000

I am trying to learn about computer security. I picked up the book Shellcoder's Handbook (ISBN: 0-7645-4468-3)
I understand the concepts in the beginning but I keep on getting a funny result. Basically I wrote a program that had a 
buffer overflow in it:
I run it and enter A's into the program (it recieves user input)-->hit enter and get a segmentation fault/core 
dump-perfect. When I inspect the stack with gdb it over-writes the eip with 0x41414141. 
I then look at the buffer size of the function as well as the address of said function (the purpose being to overflow 
the buffer, control eip to make the function iterate again) and the buffer size is 0x24 (36) and the address is 
0x08048405.
I then write a program to translate the hex into ASCII cleanly to insert into the buffer:

#include <stdio.h>

main()
{
    int i=0;
    char stuffing[44];
    for (i=0; i<=44; i+=4)
    {
        *(long *) &stuffing[i] = 0x08048405;
        puts(stuffing);
    }
}

I then run the program and input the address as ASCII into the buffer as follows: 
bash# (./addresstochar;cat) | ./overflow
which doesn't make the program iterate twice and doesn't change eip on inspection of the stack. What am I doing wrong 
here? I tried to be as thorough as possible; please forgive my verbosity. Thanks, Zach


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault